Data Processing Addendum

  1. Interpretation
    1. Capitalised terms used in this DPA and not otherwise defined in the Agreement (together, being the TOD Subscription Terms and the Services Proposal entered into between the Customer and TOD) shall have the meaning given to them in the Data Protection Legislation.
    2. If there is a conflict between the Agreement and this Data Processing Addendum, the terms of this Data Processing Addendum shall prevail. In the event of any conflict or inconsistency between this Data Processing Addendum and the Standard Contractual Clauses, the Standard Contractual Clauses shall prevail.

  2. Data Processing Obligations
    1. The Parties acknowledge and agree that for the purposes of the Data Protection Legislation, the Customer (being the customer entity identified in the Services Proposal) is the Data Controller and TOD is the Data Processor of the Personal Data and a description of the Personal Data and the Processing activities undertaken by TOD is set out in clause

  3. TOD's processing obligations
    1. To the extent that TOD processes any Personal Data on behalf of Customer in connection with the Services, TOD shall:
      1. only Process such Personal Data in accordance with the purposes set out in this Agreement and notify Customer immediately if in its opinion the Customer’s instructions infringe applicable law;
      2. maintain a record of its Processing activities under this Agreement in accordance with and to the extent required by Article 30(2) GDPR, and TOD shall at any time upon request, deliver up to Customer details of such Processing activities;
      3. ensure that access to any such Personal Data is restricted to those of its personnel who need to have access in order to perform the Services and who are subject to confidentiality obligations in respect of the Personal Data;
      4. notify Customer without undue delay if it suffers a Personal Data Breach, if it receives any Data Subject Request relating to the Personal Data, and shall: (a) not respond to the Data Subject Request without Customer’s prior written consent and in accordance with Customer’s instructions; and (b) provide such assistance as Customer may reasonably require in respect of such Personal Data in order for Customer to comply and respond to the Data Subject Request in accordance with the Data Protection Legislation;
      5. provide reasonable assistance to Customer in inputting into and carrying out data protection impact assessments and, to the extent required under the Data Protection Legislation, prior notification under Article 36 of GDPR; and
      6. ensure that it has implemented appropriate organisational and technical measures in order to comply with its obligations under this paragraph 3.
    2. To the extent legally permitted, Customer shall be responsible for any costs arising from TOD's provision of assistance beyond the existing functionality of the Services.
    3. TOD is permitted to engage a Sub-processor to Process any of the Personal Data on Customer’s behalf in connection with the Services. The Customer pre-approves TOD's use of third-party processors for the purposes of fulfilling its obligations, including those Sub-processors listed here: https://www.tod.tax/privacy. TOD shall:
      1. inform Customer prior to the appointment or removal of any such Sub-processor, thereby giving Customer an opportunity to object to the appointment or removal. If Customer objects on reasonable grounds, TOD shall either: (i) alter its plans to use the Sub-processor with respect to Personal Data, or (ii) take corrective steps to remove Customer’s objections. If none of the above options are reasonably available or the issue is not resolved within 30 days of the objection, either party may terminate this Agreement; and
      2. ensure that such Sub-processor is subject to a written agreement which imposes on it binding contractual obligations which are equivalent to the terms imposed on TOD under this DPA; and
      3. ensure that the Sub-processor’s Processing of such Personal Data terminates upon termination of TOD's right to Process the data, provided that TOD shall be liable for the acts and omissions of such Sub-processors in relation to the Processing of such Personal Data.
    4. Customer acknowledges that TOD and its Sub-processors may Process Personal Data outside of the EEA or UK in non-adequate countries. TOD will abide by the requirements of the Data Protection Legislation regarding the transfer and Processing of Personal Data from the EEA or UK. TOD will ensure that transfers of Personal Data to a third country or an international organization that does not ensure an adequate level of protection are subject to appropriate safeguards as described in Article 46 of the GDPR or UK GDPR such as the Standard Contractual Clauses.
    5. In the event any replacement Standard Contractual Clauses include a transition period for implementation, TOD shall notify the Customer of the date on which such Standard Contractual Clauses shall become effective which in any event shall be prior to the expiration of such transition period.
    6. Upon termination or expiry of this Agreement, TOD shall cease all Processing of any Personal Data Processed on Customer’s behalf under this Agreement and shall, at Customer’s option, return or destroy and delete all such Personal Data.
    7. In order to demonstrate TOD’s compliance with the Data Protection Legislation and the terms of this DPA, TOD shall:
      1. provide Customer with such information as Customer reasonably requests from time to time to enable Customer to satisfy itself that TOD is complying with its obligations under this DPA and the Data Protection Legislation; and
      2. allow Customer, at Customer’s sole cost and expense, access (on reasonable notice and no more than once a year) to its premises where Personal Data is Processed under this Agreement to allow Customer to audit its compliance with this DPA and the Data Protection Legislation and shall provide reasonable co-operation as requested by Customer in the performance of such audit. The Parties shall agree in advance on the reasonable start date, duration and security and confidentiality controls applicable to such audit.

  4. Obligations of Customer
    1. Customer shall:
      1. have at all times during the term of this Agreement appropriate technical and organisational measures to ensure a level of security appropriate to the risk to protect any Personal Data;
      2. provide clear and comprehensible written instructions to TOD for the processing of Personal Data to be carried out under this Agreement; and
      3. ensure that it has all the necessary licences, permissions, consents and notices in place to enable lawful transfer of Personal Data to TOD for the duration and purposes of this Agreement.

  5. Processing Particulars
    1. Data Subjects. The categories of Data Subjects whose Personal Data may be Processed in connection with the Agreement are employees, contractors, agents and shareholders of the End Client.
    2. Categories of Personal Data. The categories of Personal Data to be Processed in connection with the Agreement are name, bank account details, address, email address, phone number, national insurance number, unique taxpayer reference number.
    3. Special Categories of Personal Data. Special categories of Personal Data, if any, to be Processed in connection with the Agreement are: N/A.
    4. Processing Operations. Handling, storing and processing Personal Data for the purposes of carrying out the Services provided under the Agreement.
    5. Duration. TOD will Process the Personal Data on the Customer's behalf for the duration of the Agreement.